[Samba] acl's, Samba4 and rw shares

steve steve at steve-ss.com
Thu Feb 16 11:23:25 MST 2012


On 02/16/2012 07:06 PM, Aaron E. wrote:
> If you apply ntacl to the share in windows you will not get this error
> "ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No 
> data available') "
> That is simply saying there are no extra ntacl settings applied to the 
> share.. If there were you would see them..
>
> Unfortunately I cannot help with applying settings from the command 
> line, I was also trying to accomplish this to no avail.. I would 
> suggest setting share permissions through windows and then looking at 
> them via command line, they are like nothing you're going to want to 
> work with.
>
> I posed this question in samba-technical IRC, was advised that 
> samba-tool ntacl was more for scripting than actual management at this 
> point in time..
>
>
> I believe you'll get better results with tying up a windows box..
>
> On 02/16/2012 12:31 PM, steve wrote:
>> On 02/16/2012 03:48 PM, Aaron E. wrote:
>>> The permissions are slightly different for s4, as in you will be
>>> setting most of the folder permissions at the windows level. You'll need
>>> to make sure that user_xattr and acl is enabled for the filesystem.
>>>
>> That seems OK:
>> mount | grep xattr
>> /dev/sda1 on / type ext4 (rw,errors=remount-ro,user_xattr,commit=0)
>>> You can't really chmod per se, you'll need to access the security tab
>>> for the share and apply permissions you need at that level...
>>>
>>
>>> you can view the permissions using the samba-tool for the share at the
>>> nix level like so
>>>
>>> samba-tool ntacl folder/file
>>>
>>> you'll see this gives a bunch of gibberish but you will see it
>>> working.. If you haven't assigned perms through windows yet it will
>>> return stating no permissions or something to that effect..
>>>
>> I tried this:
>> -rw-r----- 1 steve2 debusers 0 2012-02-16 14:47 /home/dropbox/s2
>> samba-tool ntacl get /home/dropbox/s2
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data
>> available')
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 162, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 106, in run
>> acl = getntacl(lp, file, xattr_backend, eadb_file)
>> File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
>> line 62, in getntacl
>> xattr.XATTR_NTACL_NAME)
>>
>> samba-tool ntacl set /home/dropbox/s2
>> Usage: samba-tool ntacl set <acl> <file> [options]
>>
>> But I can't find that documented anywhere. Would I need to look in the
>> source to get a list of options? Basically I'm trying not to have to tie
>> up a windows box to do this stuff.
>>
>>> You need to set the setfacl -m default:user:xxx folder for inheritance
>>> in linux but windows users will always use ntacls I believe
>>>
>> I've done a few ldbsearch's in /usr/local/samba/private but I can't find
>> anything to do with the dropbox share I have defined.
>>
>> Any ideas?
>> Thanks
>>>
>>>
>>> On 02/16/2012 06:37 AM, steve wrote:
>>>> Hi
>>>> I'm trying to make a share called dropbox rw for members of a group.
>>>>
>>>> /usr/local/samba/etc/smb.conf
>>>> [global]
>>>> server role = domain controller
>>>> workgroup = CACTUS
>>>> realm = hh3.site
>>>> netbios name = HH3
>>>> passdb backend = samba4
>>>> template shell = /bin/bash
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>>>> read only = No
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>> [home]
>>>> path = /home/CACTUS/%USERNAME%
>>>> read only = No
>>>> [profiles]
>>>> path = /home/CACTUS/profiles%USERNAME%
>>>> read only = No
>>>> [dropbox]
>>>> path = /home/dropbox
>>>> read only = No
>>>>
>>>> I have
>>>>
>>>> mkdir -m 0770 /home/dropbox
>>>> chown steve:debusers /home/dropbox
>>>> chmod g+s /home/dropbox/
>>>> setfacl -Rm g:debusers:rw,d:g:debusers:rw /home/dropbox/
>>>>
>>>> getfacl /home/dropbox/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/dropbox/
>>>> # owner: steve
>>>> # group: debusers
>>>> # flags: -s-
>>>> user::rwx
>>>> group::rwx
>>>> group:debusers:rw-
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:debusers:rw-
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> If I create a file in the share using touch (or right click on the
>>>> share > new in explorer), no problem:
>>>>
>>>> steve2@hh3:~$ touch /home/dropbox/hola
>>>> steve2@hh3:~$ ls -l /home/dropbox/hola
>>>> -rw-rw----+ 1 steve2 debusers 0 2012-02-16 12:11 /home/dropbox/hola
>>>>
>>>> But, if I create the file in my home folder (or the mapped home folder
>>>> drive on Windows) and then copy or drag it to the share, I don't get
>>>> group rw:
>>>> steve2@hh3:~$ touch hola2
>>>> steve2@hh3:~$ cp hola2 /home/dropbox/
>>>> steve2@hh3:~$ ls -la /home/dropbox/hola2
>>>> -rw-r-----+ 1 steve2 debusers 0 2012-02-16 12:12 /home/dropbox/hola2
>>>>
>>>> None of the smb.conf force group nor acl commands are recognised. I
>>>> could cron the setfacl as a workaround or get the users to chmod it to
>>>> 660 but, well. . .
>>>>
>>>> 1. Is it possible to copy a file to a folder and have it inherit the
>>>> parent folder permissions?
>>>> 2. How do you chmod 660 on windows?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
> Hi
Thanks for taking the time to explain this. Just thinking out loud, but 
since windows will be storing stuff on an ext4 filesystem, whatever the 
ntacl does must be doable in Linux too, no? Or am I missing the point 
here? Anyway, the next stage is to find where to set the ntacl from the 
windows side. Is it a case of searching or is it buried deep inside the 
registry somewhere?

BTW, we have setup the S4 users with posix attrs and files are stored 
correctly on both Linux and windows. We map via nss-pam-ldapd on Linux. 
Not set any ntacls there, so far that is since we've only just started 
to experiment with rw shares.
Cheers,
Steve
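
Added example (not part of the thread, and not Samba code): a small Python model of the object-creation rules in acl(5), applied to the default ACL from the getfacl output in the original question, showing why `touch` and `cp` leave different group permissions on the new file. The source mode 0640 for `hola2` is an assumption; the thread does not show it.

```python
# Model of POSIX default-ACL inheritance on file creation, per acl(5).
PERMS = {"r": 4, "w": 2, "x": 1}

def bits(s):  # "rw-" -> 6
    return sum(PERMS[c] for c in s if c in PERMS)

def text(n):  # 6 -> "rw-"
    return "".join(c if n & PERMS[c] else "-" for c in "rwx")

# Default ACL of /home/dropbox, copied from the getfacl output in the thread.
DROPBOX_DEFAULT = {
    "user::": bits("rwx"),
    "group::": bits("rwx"),
    "group:debusers": bits("rw-"),
    "mask::": bits("rwx"),
    "other::": bits("---"),
}

def create_file(default_acl, mode):
    """Access ACL of a new file: inherit the default ACL, then clamp the
    owner, mask and other entries to the mode passed to open()/creat().
    The umask is not applied when the directory has a default ACL."""
    acl = dict(default_acl)
    acl["user::"] &= (mode >> 6) & 7
    group_class = "mask::" if "mask::" in acl else "group::"
    acl[group_class] &= (mode >> 3) & 7
    acl["other::"] &= mode & 7
    return acl

def ls_mode(acl):
    """Permission string as ls prints it: the group column shows the mask."""
    group_class = acl.get("mask::", acl["group::"])
    return "-" + text(acl["user::"]) + text(group_class) + text(acl["other::"]) + "+"

def effective(acl, entry):
    """Named and owning-group entries are limited by the mask."""
    return text(acl[entry] & acl.get("mask::", 7))

def chmod_group(acl, group_bits):
    """chmod on a file with an extended ACL rewrites the mask, not group::."""
    return {**acl, "mask::": group_bits}

touched = create_file(DROPBOX_DEFAULT, 0o666)  # touch asks for mode 0666
copied = create_file(DROPBOX_DEFAULT, 0o640)   # cp asks for the source mode (assumed 0640)

if __name__ == "__main__":
    for name, acl in (("hola", touched), ("hola2", copied)):
        print(name, ls_mode(acl), "debusers effective:", effective(acl, "group:debusers"))
    print("after chmod 660:", effective(chmod_group(copied, 6), "group:debusers"))
```

The `group:debusers:rw-` entry is inherited in both cases; only the mask differs, which is why the copied file shows `rw-r-----+` while still carrying the ACL.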


